Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public. Phishing emails may contain links to websites that are infected with malware.
Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.
SMS Phishing or SMShing is a form of criminal activity using social engineering techniques. SMS phishing uses cell phone text messages to deliver the bait to induce people to divulge their personal information. The hook
(the method used to actually capture people's information) in the text
message may be a website URL, but it has become more common to see a
telephone number that connects to an automated voice response system.
The SMS phishing message usually contains something that demands the
target's immediate attention.
Example:"We confirm that you have
signed up for our dating service. You will be charged $2 a day unless
you cancel your order on this URL: [URL]". Or (Name of popular online
bank) confirms that you have purchased a computer from (name of popular
computer company). Visit [URL] if you did not make this online
purchase", and "(Name of a financial institution): Your account has been
suspended. Call 0xxxxxxxxxx immediately to reactivate". The hook will
be a seemingly legitimate website that asks you to "confirm" (enter)
your personal financial information, such as your credit/debit card
number, CVV code (on the back of your credit card), your ATM card PIN,
SSN, email address, and other personal information.
If the hook is a
phone number, it normally directs to a legitimate-sounding automated
voice response system, similar to the voice response systems used by
many financial institutions, which will ask for the same personal
information.
This is an example of a (complete) SMS phishing message in current
circulation: "Notice - this is an automated message from (a local credit
union), your ATM card has been suspended. To reactivate call urgent
[sic] at 866-###-####."
In many cases, the SMS phishing message will show that it came from
"5000" instead of displaying an actual telephone number. This usually
indicates the SMS message was sent by email to the cell phone rather
than from another cell phone.
This information is then used to create duplicate credit/debit/ATM
cards. There are documented cases where information entered on a
fraudulent website (used in a phishing, SMS phishing, or voice phishing attack) was used to create a credit or debit card that was then used halfway around the world within 30 minutes.
Voice Phishing is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.
Voice Phishing is known as Vishing. The combination of both words Voice and phishing.
The Vishing is done for getting personal and financial details of the victim. Some of the fraudsters use Voice Over IP (VOIP) by this they can spoof their caller ID.
Voice phishing or Vishing is difficult for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers — vishers can in some circumstances intercept calls that consumers make when trying to confirm such messages.
Example: In this case there are two character Attacker ‘A’& Victim ’B’. Now Attacker ‘A’ somehow contacted Victim ‘B’ with his number that is spoofed and telling u some banks name (My name is XYZ calling from bank) now he will tell you that your card has been blocked or some new schemes are available for you so you please provide your debit card number and if you give 14 digit number he will ask you for CVV number that is of 3 digit. So by mistake you will give your number to him and then he will ask you for your OTP if the facilities is activated, if not then your bank password used for online transection or for online shopping. So directly he will purchase something from website or he will transfer your money.
Another simple trick used by the fraudsters is to ask the called party to hang up and dial their bank - when the caller hangs up, the fraudster does not, keeping the line open and remaining connected when the victim picks up the phone to dial. When in doubt, calling a company's telephone number listed on billing statements or other official sources is recommended as opposed to calling numbers received from messages or callers of dubious authenticity.
However, sometimes hanging up and redialing is insufficient: if the caller has not hung up, the victim might still be connected and the fraudster spoofs a dial tone down the phone line when the victim dials and a fraudster accomplice answers and impersonates whoever the victim is trying to call. Hence consumers are advised to use a different phone when dialing a company's number to confirm.
What to do for not getting into scam?
1. First of all avoid giving your information on telephone. (Because the banks will never ask such details (your 14 digit debit card number and your 3 digit CVV number)
2. If you get such calls from the bank avoid that call or ignore it and don’t give your personal information to anyone.
If this happen, what to do?
1. Immediately contact to your banks toll free number and deactivate your Debit card or credit card so he will not be able to use your card again.
2. File a complaint against that calling number.
In-Session Phishing is a form of phishing attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking website) on the same web browser, and to then launch a pop-up window
that pretends to have been opened from the targeted session. This
pop-up window, which the user now believes to be part of the targeted
session, is then used to steal user data in the same way as with other
phishing attacks.
The advantage of in-session phishing to the attacker is that it does
not need the targeted website to be compromised in any way, relying
instead on a combination of data leakage within the web browser, the
capacity of web browsers to run active content, the ability of modern
web browsers to support more than one session at a time, and social
engineering of the user.